The company provides users with a detailed ancestry breakdown based on their DNA. Leaked data suggests that 23andMe's customers include Elon Musk and Mark Zuckerberg. The data breach wasn't a hack of 23andMe's company systems, but a mass targeting of individual users, through what is called a "credential stuffing" attack.
A credential stuffing attack occurs when hackers test usernames and passwords from previous hacks to see if individuals are using the same details.
With credential stuffing, cyber criminals use automated tools and stolen username and password pairs to break into systems and gain access to legitimate user accounts. This technique is often successful because many users tend to reuse their login credentials for different websites.
When user credentials like usernames and passwords are exposed in a data breach or phishing attack, attackers use them to compromise other accounts. Credential stuffing is dangerous for both consumers and enterprises like 23andMe because of the ripple effects of credential theft.
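The pattern described above, many different usernames tried once each from one source with a low but non-zero success rate, is what distinguishes credential stuffing from a single-account brute-force attempt in authentication logs. The following detection sketch, an added example rather than anything from 23andMe or the article, runs that heuristic over a constructed set of login events; the log format, IP addresses and usernames are made up for illustration.

```python
from collections import defaultdict

# Constructed sample of authentication events (not real data):
# timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob FAIL
2023-10-01T10:00:02Z 203.0.113.7 carol SUCCESS
2023-10-01T10:00:03Z 203.0.113.7 dave FAIL
2023-10-01T10:00:03Z 203.0.113.7 erin FAIL
2023-10-01T10:00:04Z 203.0.113.7 frank FAIL
2023-10-01T10:00:05Z 203.0.113.7 grace SUCCESS
2023-10-01T10:00:06Z 203.0.113.7 heidi FAIL
2023-10-01T10:01:00Z 198.51.100.9 alice FAIL
2023-10-01T10:01:30Z 198.51.100.9 alice FAIL
2023-10-01T10:02:00Z 198.51.100.9 alice SUCCESS
"""


def parse_events(text):
    """Parse whitespace-separated log lines into (ts, ip, user, outcome) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def find_stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Flag source IPs that touch many distinct accounts with a low success ratio.

    A legitimate user, or even a single-account brute force, hits one or a few
    usernames; a stuffing run sprays breached pairs across many accounts and
    only a fraction of them succeed. Real deployments would apply this over a
    sliding time window; the sample here is small enough to score in one pass.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for _, ip, user, outcome in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if outcome == "SUCCESS":
            stats["hits"].add(user)  # accounts that need review / forced reset
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = len(stats["hits"]) / stats["attempts"]
        if len(stats["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "success_ratio": round(ratio, 2),
                "accounts_to_review": sorted(stats["hits"]),
            }
    return flagged
```

The second source in the sample (three tries against one account, then a success) is not flagged, which is the point: distinct-account breadth per source, not failure count alone, is the signal.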
The company said no actual genetic information was taken. Instead, hackers managed to access high-level account data, such as personal information and users' geographic ancestry breakdown.
This breakdown reveals where a person’s genes have come from. For example, a user may be of 50 percent Irish heritage, 25 percent Norwegian, 12.5 percent Welsh and 12.5 percent Baltic. It may seem strange to steal this kind of information, but hackers may be more interested in personal information.
Professor Alan Woodward, a cyber security specialist based at the University of Surrey, explained that this hack is valuable for hackers because they are targeting personal information that "might be used in scams later."
Woodward explained that hackers will target information like names, addresses, telephone numbers and general personal information because they can then sell this to scammers.
Using the stolen data, scammers can write more targeted spam emails. When victims receive an email that starts "Dear Alan" instead of "Dear valued customer," some of them may believe it is legitimate because the sender appears to know who they are.
Woodward added that when talking about the genetic information itself, "it may have some value in the future." However, he doesn't see an obvious way for hackers to monetize it currently. (Related: Caesars Entertainment pays ransom following cyberattack on casino.)
Woodward added that it would be more alarming if hackers had information like fingerprints because biometric data, such as your face and fingerprints, "can't be changed once it's out in the public, and can be used to access things."
Additionally, the information generated by commercial DNA tests is not limited to geography. The results also include medical predictions that show your likelihood of developing particular diseases or characteristics such as Alzheimer’s, diabetes or male pattern baldness.
Woodward noted that medical predictions "may be important in society one day," such as for insurance companies. "While the information is one of those things you'd rather not have out there, it probably won't put you at risk now," added the cyber security specialist.
But the medical information supplied by tests from companies like 23andMe also raises concerns over "DNA hacking."
After all, are there measures in place to prevent someone from checking whether a prospective partner is "likely to go bald, or develop cancer"? This information could also be used to sabotage people's careers, for example by highlighting health risks that may limit their working life.
There is actually protection in place against such DNA hacking in the United Kingdom.
Under section 45 of the U.K. Human Tissue Act of 2004, the non-consensual retrieval of another person's bodily material for genetic analysis is considered a criminal offense.
However, proving this has taken place can be tricky. It's also not a high priority for the police. Additionally, it is difficult, if not impossible, for commercial companies to verify the DNA being tested belongs to the person giving the sample when it is sent by post rather than taken in person.
Samples may not always be sent "secretly" for nefarious purposes, such as when users may want to surprise family members or loved ones with their results. In these instances, some lives have been changed significantly.
For example, people who were adopted or those involved in infidelity have had the news broken to them through a computer screen. Stories told about a family’s history can be exposed as fiction, while some spouses have discovered that they are related.
But when it comes to the cold, hard data, unwittingly having your DNA sampled could have other serious repercussions.
Woodward explained that there are civil liberty concerns to think about. If the police take your DNA, they shouldn’t keep it unless you’re charged because you don’t want the police to have a general database where they can run any DNA found at a crime scene against it.
However, an estimated 100 million or more people have submitted their DNA – or had it submitted on their behalf – to testing companies like 23andMe, making it possible that the police could one day build such a database.
In 2018, Joseph James DeAngelo – one of California’s most prolific serial killers and rapists – was arrested after police matched his DNA to a relative who had had their DNA tested online. DeAngelo later pleaded guilty to multiple counts of murder and kidnapping.
Major commercial companies like 23andMe and Ancestry claim that they do not voluntarily comply with law enforcement, although their terms and conditions provide for exceptional circumstances. But investigative genetic genealogy, as it is known, does not necessarily require backdoor access to particular individuals' accounts.
DeAngelo was caught after the police searched GEDmatch, a free online database where users can add their results after taking a commercial test.
With the recent hack on 23andMe, there is now more DNA information out there.
Many people won’t mind, especially those who easily share their date of birth while shopping or telephone number while booking a restaurant. But all of these add to your digital footprint and right now, your DNA is the least valuable.
But technology quickly advances. While it remains to be seen how the data could be used in the future, once out there, it will be very hard to get back.
To avoid the loss of your personal information, always use strong passwords and never reuse them across sites.